Executing AppleScript without asking for Admin account

rongrw
New Contributor

Hi Guys,

We've recently come across an issue where PDF files are no longer opened in Safari after installing Adobe Creative Cloud applications. To remedy this problem, I intend to delete the relevant PDF plugins, and have written the following AppleScript code.

-- Delete the PDF plugins for Safari that were
-- installed by the Adobe Creative Suite.
-- R. Grunwald, Mar 2015
-- 
set pdf_plugin1 to alias "Macintosh HD:Library:Internet Plug-Ins:AdobePDFViewer.plugin"
set pdf_plugin2 to alias "Macintosh HD:Library:Internet Plug-Ins:AdobePDFViewerNPAPI.plugin"

tell application "Finder"
    delete pdf_plugin1
    delete pdf_plugin2
end tell

My intention is to execute this code after our Adobe CCP package has been installed by a self-service policy. However, the problem that's emerged is that an authentication box appears asking for an administrator account. That's perfectly understandable, but my question is can AppleScript be executed by an admin user under the hood, much like Shell script is executed by "root", and thereby suppress the auth. dialog?

Any suggestions would be most appreciated.

Cheers,
Ron.

10 REPLIES 10

mpermann
Valued Contributor II

@rongrw, why not just use a shell script? A couple rm commands would do what you want pretty easily. Is there some reason why you must use an AppleScript?

Damien
New Contributor

@rongrw in some old scripts we were using we appended with administrator privileges not sure if this will help
i.e.

if myvar contains "Airport" then

do shell script "networksetup -setautoproxyurl Airport http://server/wpad.dat" with administrator privileges

end if

rongrw
New Contributor

Hi @mpermann

> why not just use a shell script? A couple rm commands would do what you want pretty easily.
> Is there some reason why you must use an AppleScript?

Its purely personal preference that I'm using AppleScript. I find AppleScript code more readable than Shell script syntax, and also find the AppleScript Editor a very useful and convenient tool. Casper clearly supports AppleScript, and so I assumed that it would execute with admin privileges on client Macs in the same way as shell scripts execute under "root".

Thanks for your suggestion.

Cheers,
Ron.

notverypc
New Contributor III

You could include the password within the AppleScript.

set thePassword to "Password" as string
    do shell script <<YourCommand>> ¬
        password thePassword with administrator privileges

If you save the script as a "run-only" application the password will be hidden.

RobertHammen
Valued Contributor II

My maxim is, the least you can do with AppleScript, the better off you are.

I also wouldn't save a password in a run-only script. Can easily be edited/viewed and the password obtained.

iJake
Valued Contributor

We can appreciate that you are more comfortable with AppleScript but for something like this Shell script is the way to go and we would be more than happy to help.

bentoms
Release Candidate Programs Tester

@rongrw][/url, I think the issue is with it being in a "tell application Finder" block.

I'm a big fan of AppleScript, but heavily lean on "do shell script"

As an example, AutoCasperNBI is most "do shell script" commands: https://github.com/macmule/AutoCasperNBI/blob/master/AutoCasperNBI/AutoCasperNBIAppDelegate.applescr...

rongrw
New Contributor

Hi guys,

Many thanks for all your responses. A few people have mentioned the <with administrator privileges> clause, but it only applies to Shell code executed within AppleScript, which I didn't want. It does seem that AppleScript code cannot be executed under a local admin user in the background while logged in under a normal, unprivileged account. That's fine - Apple engineered it that way, probably for a good reason.

What I'm taking away from this discussion is that modifications to the currently logged in user's home folder can be scripted with pure AppleScript, but any modifications outside the home folder should be scripted with Shell code. Feel free to correct me if I've got this wrong.

Cheers,
Ron.

RobertHammen
Valued Contributor II

Nope, that is exactly right.

You could have a LaunchAgent run which opens the AppleScript (runs at login as the user)...

davidacland
Honored Contributor II

Hi @rongrw

You can use either scripting language for either task but my preference is:

  • Shell script for silent actions
  • Applescript when I want to interact with the user (dialog boxes asking for input etc)

In this case I would have a script that looks like this:

#!/bin/sh

rm "/Library/Internet Plug-Ins/AdobePDFViewer.plugin"
rm "/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin"

exit 0

Add the script to a policy and scope it to run once on a smart group of computers that have Adobe CC installed.

Casper policies are run as root so there shouldn't be any permission obstacles to stop it.